AMENDMENTS TO THE CLAIMS

1. (Previously presented) A method for processing 
communication traffic that is directed to a group of 
addresses on a network, comprising: 

identifying a subset of the group of the addresses 
such that the addresses in the subset are expected to 
receive smaller amounts of the communication traffic than 
other addresses in the group; 

monitoring the communication traffic that is 
directed to the addresses in the subset; 

determining respective baseline characteristics of 
the communication traffic that is directed to each of the 
addresses in the subset; 

detecting a deviation from the respective baseline 
characteristics of the communication traffic directed to 
at least one of the addresses in the subset, wherein the 
deviation is indicative that at least a portion of the 
communication traffic is of potentially malicious origin; 
and 

responsively to detecting the deviation, filtering 
the communication traffic that is directed to all of the 
addresses in the group so as to remove at least some of 
the communication traffic that is of the malicious 
origin.

2-3. (Canceled) 

4. (Original) The method according to claim 1, wherein 
the baseline characteristics comprise a distribution of 
communication protocols used in generating the 
communication traffic. 

5. (Original) The method according to claim 1, wherein 
the baseline characteristics comprise a distribution of 
ports to which the communication traffic is directed. 
6. (Original) The method according to claim 1, wherein
the baseline characteristics comprise a distribution of 
source addresses of the communication traffic. 

7. (Original) The method according to claim 1, wherein 
the baseline characteristics comprise a distribution of 
sizes of data packets sent to the addresses in the group. 

8. (Original) The method according to claim 1, wherein 
the baseline characteristics are indicative of a 
distribution of operating systems running on computers 
that have transmitted the communication traffic. 

9. (Previously presented) The method according to claim 
8, wherein detecting the deviation comprises reading a 
Time-To-Live (TTL) field in Internet Protocol headers of 
data packets sent to the addresses in the group, and 
detecting a change in values of the TTL field relative to 
the baseline characteristics. 

10. (Original) The method according to claim 1, wherein 
detecting the deviation comprises detecting events that 
are indicative of a failure in communication between a 
first computer at one of the addresses in the group and a 
second computer at another location in the network. 

11. (Original) The method according to claim 10, wherein 
detecting the events comprises detecting failures to 
establish a Transmission Control Protocol (TCP)
connection.

12. (Original) The method according to claim 1, and 
comprising receiving packets that are indicative of a 
communication failure in the network that is 
characteristic of a worm infection, and wherein filtering 
the communication traffic comprises deciding to filter 
the communication traffic responsively to receiving the 
packets.

47982A1

13. (Original) The method according to claim 12, wherein 
receiving the packets comprises receiving Internet 
Control Message Protocol (ICMP) unreachable packets. 

14. (Original) The method according to claim 1, wherein 
monitoring the communication traffic comprises making a 
determination that one or more packets transmitted over 
the network are ill-formed, and wherein filtering the 
communication traffic comprises deciding to filter the 
communication traffic responsively to the ill-formed 
packets.

15. (Original) The method according to claim 1, wherein 
detecting the deviation comprises incrementing a count of 
events that are indicative of the malicious origin of the 
communication traffic, and deciding whether to filter the 
communication traffic responsively to the count. 

16. (Previously presented) The method according to claim
15, wherein detecting the deviation comprises receiving
data packets of potentially malicious origin, each data 
packet having a respective source address and destination 
address, and wherein incrementing the count comprises 
determining an amount by which to increment the count 
responsively to a given data packet depending upon 
whether among the data packets received previously, 
responsively to which the count was incremented, at least 
one data packet had the same respective source address 
and at least one data packet had the same respective 
destination address as the given data packet. 

17. (Previously presented) The method according to claim
16, wherein determining the amount by which to increment
the count comprises incrementing the count only if none 
of the data packets received previously, responsively to 
which the count was incremented, had at least one of the 
same respective source address and the same respective 
destination address as the given data packet. 
18. (Original) The method according to claim 1, wherein
detecting the deviation comprises detecting a type of the 
communication traffic that appears to be of the malicious 
origin, and wherein filtering the communication traffic 
comprises intercepting the communication traffic of the 
detected type. 

19. (Original) The method according to claim 18, wherein 
detecting the type comprises determining at least one of 
a communication protocol and a port that is 
characteristic of the communication traffic. 

20. (Original) The method according to claim 18, wherein 
detecting the type comprises determining one or more 
source addresses of the communication traffic that 
appears to be of the malicious origin, and intercepting 
the communication traffic sent from the one or more 
source addresses. 

21. (Original) The method according to claim 1, wherein 
detecting the deviation comprises detecting a type of the 
communication traffic that appears to be of the malicious 
origin, and wherein monitoring the communication traffic 
comprises collecting specific information relating to the 
traffic of the detected type. 

22. (Original) The method according to claim 21, wherein 
collecting the specific information comprises determining 
one or more source addresses of the traffic of the 
detected type. 

23. (Original) The method according to claim 1, wherein 
monitoring and filtering the communication traffic 
comprise monitoring and filtering the communication 
traffic that is transmitted into a protected area of the 
network containing the group of the addresses so as to 
exclude the communication traffic from the area. 

24. (Original) The method according to claim 23, and 
comprising monitoring the communication traffic that is 
transmitted by computers in the protected area so as to
detect an infection of one or more of the computers by a 
malicious program. 

25-28. (Canceled)

29. (Previously presented) A method for processing 
communication traffic, comprising: 

monitoring the communication traffic on a network so 
as to detect packets that are indicative of a 
communication failure in the network that is 
characteristic of a worm infection; 

detecting an increase in a rate of arrival of the 
packets that are indicative of the communication failure; 
and 

responsively to the increase, filtering the 
communication traffic so as to remove at least a portion 
of the communication traffic that is generated by the 
worm infection. 

30. (Original) The method according to claim 29, wherein 
monitoring the communication traffic comprises detecting 
Internet Control Message Protocol (ICMP) unreachable 
packets.

31. (Original) The method according to claim 29, wherein 
monitoring the communication traffic comprises detecting 
failures to establish a Transmission Control Protocol 
(TCP) connection. 

32. (Previously presented) A method for processing 
communication traffic, comprising: 

monitoring the communication traffic on a network so 
as to detect ill-formed packets; 

making a determination, responsively to the ill-formed
packets, that at least a portion of the
communication traffic has been generated by a worm 
infection; and 

responsively to the determination, filtering the 
communication traffic so as to remove at least the 
portion of the communication traffic that is generated by
the worm infection. 

33. (Original) The method according to claim 32, wherein 
the packets comprise a header specifying a communication 
protocol, and wherein monitoring the communication 
traffic comprises determining that the packets contain 
data that are incompatible with the specified 
communication protocol. 

34. (Original) The method according to claim 32, wherein 
the packets comprise a header specifying a packet length, 
and wherein monitoring the communication traffic 
comprises determining that the packets contain an amount 
of data that is incompatible with the specified packet 
length. 

35. (Previously presented) Apparatus for processing 
communication traffic that is directed to a group of 
addresses on a network, comprising a guard device, which 
is adapted to identify a selected subset of the group of 
the addresses such that the addresses in the subset are 
expected to receive smaller amounts of the communication 
traffic than other addresses in the group, to monitor the 
communication traffic that is directed to the addresses 
in the subset, to determine respective baseline 
characteristics of the communication traffic that is 
directed to each of the addresses in the subset, to 
detect a deviation from the respective baseline 
characteristics of the communication traffic directed to 
at least one of the addresses in the subset, wherein the 
deviation is indicative that at least a portion of the 
communication traffic is of potentially malicious origin, 
and responsively to detecting the deviation, to filter 
the communication traffic that is directed to all of the 
addresses in the group so as to remove at least some of 
the communication traffic that is of the malicious 
origin.

36-37. (Canceled)

38. (Original) The apparatus according to claim 35, 
wherein the baseline characteristics comprise a 
distribution of communication protocols used in 
generating the communication traffic. 

39. (Original) The apparatus according to claim 35, 
wherein the baseline characteristics comprise a 
distribution of ports to which the communication traffic 
is directed. 

40. (Original) The apparatus according to claim 35, 
wherein the baseline characteristics comprise a 
distribution of source addresses of the communication 
traffic.

41. (Original) The apparatus according to claim 35, 
wherein the baseline characteristics comprise a 
distribution of sizes of data packets sent to the 
addresses in the group. 

42. (Original) The apparatus according to claim 35, 
wherein the baseline characteristics are indicative of a 
distribution of operating systems running on computers 
that have transmitted the communication traffic. 

43. (Previously presented) The apparatus according to 
claim 42, wherein the guard device is adapted to read a 
Time-To-Live (TTL) field in Internet Protocol headers of 
data packets sent to the addresses in the group, and to 
detect a change in values of the TTL field relative to 
the baseline characteristics due to the distribution of
the operating systems.

44. (Original) The apparatus according to claim 35, 
wherein the guard device is adapted to detect events that 
are indicative of a failure in communication between a 
first computer at one of the addresses in the group and a 
second computer at another location in the network. 
45. (Original) The apparatus according to claim 44,
wherein the events comprise failures to establish a 
Transmission Control Protocol (TCP) connection. 

46. (Original) The apparatus according to claim 35, 
wherein the guard device is adapted to receive packets 
that are indicative of a communication failure in the 
network that is characteristic of a worm infection, and 
to decide to filter the communication traffic 
responsively to receiving the packets. 

47. (Original) The apparatus according to claim 46, 
wherein the packets comprise Internet Control Message
Protocol (ICMP) unreachable packets. 

48. (Original) The apparatus according to claim 35, 
wherein the guard device is adapted to make a 
determination that one or more packets transmitted over 
the network are ill-formed, and to decide to filter the 
communication traffic responsively to the ill-formed 
packets.

49. (Original) The apparatus according to claim 35, 
wherein the guard device is adapted to increment a count 
of events that are indicative of the malicious origin of 
the communication traffic, and to decide whether to 
filter the communication traffic responsively to the 
count.

50. (Previously presented) The apparatus according to 
claim 49, wherein the guard device is coupled to receive 
data packets of potentially malicious origin, each data 
packet having a respective source address and destination 
address, and is adapted to determine an amount by which 
to increment the count responsively to a given data 
packet depending upon whether among the data packets 
received previously, responsively to which the count was 
incremented, at least one data packet had the same 
respective source address and at least one data packet 
had the same respective destination address as the given
data packet. 

51. (Previously presented) The apparatus according to 
claim 40, wherein the guard device is adapted to 
increment the count only if none of the data packets 
received previously, responsively to which the count was 
incremented, had at least one of the same respective 
source address and the same respective destination 
address as the given data packet. 

52. (Original) The apparatus according to claim 35, 
wherein the guard device is adapted to detect a type of 
the communication traffic that appears to be of the 
malicious origin, and to filter the communication traffic 
by intercepting the communication traffic of the detected 
type. 

53. (Original) The apparatus according to claim 52, 
wherein the type of the communication traffic that 
appears to be of the malicious origin is characterized by 
at least one of a communication protocol and a port. 

54. (Original) The apparatus according to claim 52, 
wherein the guard device is adapted to determine one or 
more source addresses of the communication traffic that 
appears to be of the malicious origin, and to intercept 
the communication traffic sent from the one or more 
source addresses. 

55. (Original) The apparatus according to claim 35, 
wherein the guard device is adapted to detect a type of 
the communication traffic that appears to be of the 
malicious origin, and to monitor the communication 
traffic so as to collect specific information relating to 
the traffic of the detected type. 

56. (Original) The apparatus according to claim 55, 
wherein the specific information comprises one or more 
source addresses of the traffic of the detected type. 
57. (Original) The apparatus according to claim 35,
wherein the guard device is adapted to monitor and filter 
the communication traffic that is transmitted into a 
protected area of the network containing the group of the 
addresses so as to exclude the communication traffic from 
the area. 

58. (Original) The apparatus according to claim 57, 
wherein the guard device is adapted to monitor the 
communication traffic that is transmitted by computers in 
the protected area so as to detect an infection of one or 
more of the computers by a malicious program. 

59-62. (Canceled) 

63. (Previously presented) Apparatus for processing 
communication traffic, comprising a guard device, which 
is adapted to monitor the communication traffic on a 
network so as to detect packets that are indicative of a 
communication failure in the network that is 
characteristic of a worm infection, to detect an increase 
in a rate of arrival of the packets that are indicative 
of the communication failure, and responsively to the 
increase, to filter the communication traffic so as to 
remove at least a portion of the communication traffic 
that is generated by the worm infection. 

64. (Original) The apparatus according to claim 63, 
wherein the guard device is adapted to detect Internet 
Control Message Protocol (ICMP) unreachable packets as an 
indication of the communication failure. 

65. (Original) The apparatus according to claim 63, 
wherein the guard device is adapted to detect failures to 
establish a Transmission Control Protocol (TCP) 
connection. 

66. (Previously presented) Apparatus for processing 
communication traffic, comprising a guard device, which 
is adapted to monitor the communication traffic on a 
network so as to detect ill-formed packets, to make a
determination, responsively to the ill-formed packets, 
that at least a portion of the communication traffic has 
been generated by a worm infection, and responsively to 
the determination, to filter the communication traffic so 
as to remove at least the portion of the communication 
traffic that is generated by the worm infection. 

67. (Original) The apparatus according to claim 66, 
wherein the packets comprise a header specifying a 
communication protocol, and wherein the guard device is 
adapted to detect that the packets contain data that are 
incompatible with the specified communication protocol. 

68. (Original) The apparatus according to claim 66, 
wherein the packets comprise a header specifying a packet 
length, and wherein the guard device is adapted to detect 
that the packets contain an amount of data that is 
incompatible with the specified packet length. 

69. (Previously presented) A computer software product 
for processing communication traffic that is directed to 
a group of addresses on a network, comprising a
computer-readable medium in which program instructions are stored,
which instructions, when read by a computer, cause the 
computer to identify a selected subset of the group of 
the addresses such that the addresses in the subset are 
expected to receive smaller amounts of the communication 
traffic than other addresses in the group, to monitor the 
communication traffic that is directed to the addresses 
in the subset, to determine respective baseline 
characteristics of the communication traffic that is 
directed to each of the addresses in the subset, to 
detect a deviation from the respective baseline 
characteristics of the communication traffic directed to 
at least one of the addresses in the subset, wherein the 
deviation is indicative that at least a portion of the 
communication traffic is of potentially malicious origin, 
and responsively to detecting the deviation, to filter
the communication traffic that is directed to all of the 
addresses in the group so as to remove at least some of 
the communication traffic that is of the malicious 
origin.

70-71. (Canceled) 

72. (Original) The product according to claim 69, 
wherein the baseline characteristics comprise a 
distribution of communication protocols used in 
generating the communication traffic. 

73. (Original) The product according to claim 69, 
wherein the baseline characteristics comprise a 
distribution of ports to which the communication traffic 
is directed. 

74. (Original) The product according to claim 69, 
wherein the baseline characteristics comprise a 
distribution of source addresses of the communication 
traffic.

75. (Original) The product according to claim 69, 
wherein the baseline characteristics comprise a 
distribution of sizes of data packets sent to the 
addresses in the group. 

76. (Original) The product according to claim 69, 
wherein the baseline characteristics are indicative of a 
distribution of operating systems running on computers 
that have transmitted the communication traffic. 

77. (Previously presented) The product according to 
claim 76, wherein instructions cause the computer to read 
a Time-To-Live (TTL) field in Internet Protocol headers 
of data packets sent to the addresses in the group, and 
to detect a change in values of the TTL field relative to 
the baseline characteristics due to the distribution of 
the operating systems. 
78. (Original) The product according to claim 69,
wherein the instructions cause the computer to detect 
events that are indicative of a failure in communication 
between a first computer at one of the addresses in the 
group and a second computer at another location in the 
network. 

79. (Original) The product according to claim 78, 
wherein the events comprise failures to establish a 
Transmission Control Protocol (TCP) connection. 

80. (Original) The product according to claim 69, 
wherein the instructions cause the computer to receive 
packets that are indicative of a communication failure in 
the network that is characteristic of a worm infection, 
and to decide to filter the communication traffic 
responsively to receiving the packets. 

81. (Original) The product according to claim 80, 
wherein the packets comprise Internet Control Message
Protocol (ICMP) unreachable packets. 

82. (Original) The product according to claim 69, 
wherein the instructions cause the computer to make a 
determination that one or more packets transmitted over 
the network are ill-formed, and to decide to filter the 
communication traffic responsively to the ill-formed
packets. 

83. (Original) The product according to claim 69, 
wherein the instructions cause the computer to increment 
a count of events that are indicative of the malicious 
origin of the communication traffic, and to decide 
whether to filter the communication traffic responsively 
to the count. 

84. (Previously presented) The product according to 
claim 83, wherein when the computer is coupled to receive 
data packets of potentially malicious origin, each data 
packet having a respective source address and destination 
address, the instructions cause the computer to determine
an amount by which to increment the count responsively to 
a given data packet depending upon whether among the data 
packets received previously, responsively to which the 
count was incremented, at least one data packet had the 
same respective source address and at least one data 
packet had the same respective destination address as the 
given data packet. 

85. (Previously presented) The product according to 
claim 84, wherein the instructions cause the computer to 
increment the count only if none of the data packets 
received previously, responsively to which the count was 
incremented, had at least one of the same respective 
source address and the same respective destination 
address as the given data packet. 
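
The event-counting rule of claims 15-17, restated identically for the apparatus in claims 49-51 and for the product in claims 83-85, is shown below as an added worked example; it is not part of the patent or its filing, and the weight table, the filter threshold and the sample packets are constructed for illustration. Claim 17 is implemented as the default policy (a packet adds to the count only when neither its source nor its destination matches a previously counted packet); the weight table generalizes that to the claim 16 form, in which the amount added depends on which of the two addresses was seen before.

```python
from dataclasses import dataclass, field

# Constructed sample packets (source, destination); not taken from the patent.
SAMPLE_PACKETS = [
    ("10.0.0.1", "192.0.2.5"),
    ("10.0.0.1", "192.0.2.6"),   # same source as a counted packet
    ("10.0.0.2", "192.0.2.5"),   # same destination as a counted packet
    ("10.0.0.2", "192.0.2.7"),   # under claim 17, 10.0.0.2 was never counted, so both fields are new
    ("10.0.0.3", "192.0.2.8"),
]

# Assumed weight table for claim 16: amount to add, keyed by (same_source, same_destination)
# relative to previously counted packets. Claim 17's policy is the special case in which any
# shared address gives 0, so only fully new (source, destination) pairs raise the count.
CLAIM_17_WEIGHTS = {(False, False): 1, (True, False): 0, (False, True): 0, (True, True): 0}

# Assumed threshold at which the guard decides to filter (claim 15 leaves it open).
FILTER_THRESHOLD = 3


@dataclass
class EventCounter:
    weights: dict = field(default_factory=lambda: dict(CLAIM_17_WEIGHTS))
    threshold: int = FILTER_THRESHOLD
    count: int = 0
    # Addresses of packets that actually caused an increment ("responsively to which
    # the count was incremented"); packets that added 0 are deliberately not recorded.
    counted_src: set = field(default_factory=set)
    counted_dst: set = field(default_factory=set)

    def increment_amount(self, src: str, dst: str) -> int:
        key = (src in self.counted_src, dst in self.counted_dst)
        return self.weights[key]

    def observe(self, src: str, dst: str) -> int:
        """Apply one packet of potentially malicious origin; return the updated count."""
        amount = self.increment_amount(src, dst)
        if amount > 0:
            self.count += amount
            self.counted_src.add(src)
            self.counted_dst.add(dst)
        return self.count

    def should_filter(self) -> bool:
        return self.count >= self.threshold


def run_sample(weights=None) -> tuple:
    """Feed the constructed packets through the counter; return (final count, filter decision)."""
    counter = EventCounter(weights=dict(weights or CLAIM_17_WEIGHTS))
    for src, dst in SAMPLE_PACKETS:
        counter.observe(src, dst)
    return counter.count, counter.should_filter()


if __name__ == "__main__":
    print(run_sample())   # claim 17 policy: (3, True)
    print(run_sample({(False, False): 2, (True, False): 1, (False, True): 1, (True, True): 0}))
```

The reason for recording only the packets that caused an increment is that a source that repeatedly probes one destination then cannot inflate the count by itself, while a worm sweeping new (source, destination) pairs does; the alternative weight table shows how partial credit for a half-new pair changes the outcome on the same input.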

86. (Original) The product according to claim 69, 
wherein the instructions cause the computer to detect a 
type of the communication traffic that appears to be of 
the malicious origin, and to filter the communication 
traffic by intercepting the communication traffic of the 
detected type. 

87. (Original) The product according to claim 86, 
wherein the type of the communication traffic that 
appears to be of the malicious origin is characterized by 
at least one of a communication protocol and a port. 

88. (Original) The product according to claim 86, 
wherein the instructions cause the computer to determine 
one or more source addresses of the communication traffic 
that appears to be of the malicious origin, and to 
intercept the communication traffic sent from the one or 
more source addresses. 

89. (Original) The product according to claim 69, 
wherein the instructions cause the computer to detect a 
type of the communication traffic that appears to be of 
the malicious origin, and to monitor the communication 
traffic so as to collect specific information relating to
the traffic of the detected type. 

90. (Original) The product according to claim 89, 
wherein the specific information comprises one or more 
source addresses of the traffic of the detected type. 

91. (Original) The product according to claim 69, 
wherein the instructions cause the computer to monitor 
and filter the communication traffic that is transmitted 
into a protected area of the network containing the group 
of the addresses so as to exclude the communication 
traffic from the area. 

92. (Original) The product according to claim 91, 
wherein the instructions cause the computer to monitor 
the communication traffic that is transmitted by 
computers in the protected area so as to detect an 
infection of one or more of the computers by a malicious 
program. 

93. (Canceled) 

97. (Previously presented) A computer software product, 
comprising a computer-readable medium in which program 
instructions are stored, which instructions, when read by 
a computer, cause the computer to monitor the 
communication traffic on a network so as to detect
packets that are indicative of a communication failure in
the network that is characteristic of a worm infection, 
to detect an increase in a rate of arrival of the packets 
that are indicative of the communication failure, and 
responsively to the increase, to filter the communication 
traffic so as to remove at least a portion of the 
communication traffic that is generated by the worm 
infection.

98. (Original) The product according to claim 97, 
wherein the instructions cause the computer to detect
Internet Control Message Protocol (ICMP) unreachable
packets as an indication of the communication failure.

99. (Original) The product according to claim 97, 
wherein the instructions cause the computer to detect 
failures to establish a Transmission Control Protocol 
(TCP) connection. 
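
The following is an added worked example of the rate-of-arrival detection in claims 29-31, 63-65 and 97-99; it is not code from the patent. It takes a stream of failure indications (ICMP unreachable messages per claim 30, uncompleted TCP connection attempts per claim 31), learns a baseline rate during an assumed quiet calibration period, and reports an increase when the rate inside a sliding window exceeds a multiple of that baseline. The event stream, the window length, the multiplier and the rate floor are all constructed assumptions.

```python
from collections import deque

# Constructed event stream (timestamp in seconds, kind, source, destination); not from the patent.
# "tcp_fail" marks a TCP connection attempt that was not completed (claim 31);
# "icmp_unreach" marks an ICMP destination-unreachable message (claim 30).
SAMPLE_EVENTS = (
    [(float(t), "tcp_fail", "10.0.0.7", "192.0.2.%d" % (t + 1)) for t in range(0, 60, 15)]
    + [(60.0 + i * 0.5, "icmp_unreach", "10.0.0.%d" % (20 + i), "198.51.100.%d" % (i + 1))
       for i in range(30)]
)

FAILURE_KINDS = {"tcp_fail", "icmp_unreach"}


class FailureRateDetector:
    def __init__(self, window_s=10.0, calibration_s=60.0, factor=4.0, min_rate=0.5):
        self.window_s = window_s
        self.calibration_s = calibration_s   # quiet period used to learn the baseline (assumption)
        self.factor = factor                 # how many times the baseline counts as an increase
        self.min_rate = min_rate             # floor so an almost-silent baseline cannot trip on one event
        self.recent = deque()                # (ts, src) of failure events inside the sliding window
        self.calibration_count = 0
        self.baseline_rate = None            # failure events per second during calibration

    def observe(self, ts: float, kind: str, src: str) -> bool:
        """Record one event; return True when the failure rate shows an increase."""
        if kind not in FAILURE_KINDS:
            return False
        if ts < self.calibration_s:
            self.calibration_count += 1
            return False
        if self.baseline_rate is None:
            self.baseline_rate = self.calibration_count / self.calibration_s
        self.recent.append((ts, src))
        while self.recent and self.recent[0][0] <= ts - self.window_s:
            self.recent.popleft()
        rate = len(self.recent) / self.window_s
        return rate > max(self.factor * self.baseline_rate, self.min_rate)

    def suspect_sources(self) -> set:
        """Sources of the failure events in the current window: candidates for the filter."""
        return {src for _, src in self.recent}


def first_detection(events, **kw):
    """Return (timestamp, suspect sources) at the first detected increase, or (None, set())."""
    det = FailureRateDetector(**kw)
    for ts, kind, src, _dst in events:
        if det.observe(ts, kind, src):
            return ts, det.suspect_sources()
    return None, set()


if __name__ == "__main__":
    print(first_detection(SAMPLE_EVENTS))   # (62.5, {'10.0.0.20', ..., '10.0.0.25'})
```

On the constructed stream the baseline is four failures in sixty seconds, so the floor of 0.5 events per second governs and the sixth burst event (at 62.5 s, six events inside a ten-second window) is the first to exceed it. The floor matters in practice: without it a network whose quiet baseline is near zero would flag a single stray ICMP message as an increase.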

100. (Previously presented) A computer software product, 
comprising a computer-readable medium in which program 
instructions are stored, which instructions, when read by 
a computer, cause the computer to monitor the 
communication traffic on a network so as to detect ill-formed
packets, to make a determination, responsively to
the ill-formed packets, that at least a portion of the 
communication traffic has been generated by a worm 
infection, and responsively to the determination, to 
filter the communication traffic so as to remove at least 
the portion of the communication traffic that is 
generated by the worm infection. 

101. (Original) The product according to claim 100, 
wherein the packets comprise a header specifying a 
communication protocol, and wherein the instructions 
cause the computer to detect that the packets contain 
data that are incompatible with the specified 
communication protocol. 

102. (Original) The product according to claim 100, 
wherein the packets comprise a header specifying a packet 
length, and wherein the instructions cause the computer 
to detect that the packets contain an amount of data that 
is incompatible with the specified packet length. 
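
As an added worked example for the ill-formed packet checks of claims 32-34, 66-68 and 100-102 (not code from the patent), the checker below parses constructed IPv4 packets and reports two classes of inconsistency: data that does not fit the protocol the IP header announces (claim 33: a TCP payload shorter than a TCP header, a TCP data offset that points past the payload, a UDP length field that disagrees with the bytes present) and a declared IP total length that the packet cannot satisfy (claim 34). The packet builders, the sample packets and the thresholds in `worm_suspected` are assumptions made for this illustration.

```python
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
PROTO_TCP, PROTO_UDP = 6, 17


def build_ipv4(proto: int, payload: bytes, total_length=None, ttl=64) -> bytes:
    """Constructed IPv4 packet for test input; the checksum is left at zero and not verified here."""
    total = total_length if total_length is not None else 20 + len(payload)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, total, 0x1234, 0, ttl, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
    return hdr + payload


def tcp_header(sport=1234, dport=80, data_offset_words=5) -> bytes:
    # Minimal 20-byte TCP header with SYN set; only the fields the checker reads matter.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset_words << 4, 0x02, 0, 0, 0)


def udp_header(sport=1234, dport=53, length=8) -> bytes:
    return struct.pack("!HHHH", sport, dport, length, 0)


def classify(pkt: bytes) -> list:
    """Return the reasons a packet is ill-formed (an empty list means well-formed)."""
    problems = []
    if len(pkt) < 20:
        return ["ip_header_truncated"]
    ver_ihl, _, total_len, _, _, _ttl, proto, _, _, _ = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4:
        problems.append("ip_bad_version")
    if ihl < 20 or ihl > len(pkt):
        problems.append("ip_bad_ihl")
        return problems
    # Claim 34: declared length versus data actually present. Trailing bytes beyond
    # total_len are tolerated because short Ethernet frames are padded; a declared length
    # larger than the captured data, or smaller than the header, cannot be legitimate.
    if total_len > len(pkt) or total_len < ihl:
        problems.append("ip_length_mismatch")
        return problems
    payload = pkt[ihl:total_len]
    # Claim 33: the payload must be consistent with the protocol the header announces.
    if proto == PROTO_TCP:
        if len(payload) < 20:
            problems.append("tcp_header_short")
        else:
            off = (payload[12] >> 4) * 4
            if off < 20 or off > len(payload):
                problems.append("tcp_bad_data_offset")
    elif proto == PROTO_UDP:
        if len(payload) < 8:
            problems.append("udp_header_short")
        else:
            udp_len = struct.unpack("!H", payload[4:6])[0]
            if udp_len < 8 or udp_len != len(payload):
                problems.append("udp_length_mismatch")
    return problems


def worm_suspected(packets, min_bad=3, min_fraction=0.25) -> bool:
    """Claim 32 determination with assumed thresholds: enough ill-formed packets, absolutely and as a share."""
    if not packets:
        return False
    bad = sum(1 for p in packets if classify(p))
    return bad >= min_bad and bad / len(packets) >= min_fraction


# Constructed sample traffic: two well-formed packets and four ill-formed ones.
SAMPLE_PACKETS = [
    build_ipv4(PROTO_TCP, tcp_header()),                        # well-formed
    build_ipv4(PROTO_UDP, udp_header(length=8)),                # well-formed
    build_ipv4(PROTO_TCP, b"\x00" * 10),                        # claim 33: too short for a TCP header
    build_ipv4(PROTO_UDP, udp_header(length=100)),              # claim 33: UDP length disagrees with data
    build_ipv4(PROTO_UDP, udp_header(), total_length=200),      # claim 34: IP length exceeds data present
    build_ipv4(PROTO_TCP, tcp_header(data_offset_words=15)),    # claim 33: data offset past the payload
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(classify(p))
    print(worm_suspected(SAMPLE_PACKETS))   # True
```

Tolerating trailing bytes is the check a practitioner most often gets wrong: a 28-byte UDP datagram arrives in a 60-byte minimum Ethernet frame, and a checker that demands `total_len == len(pkt)` would flag every one of them as ill-formed.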

103. (Previously presented) The method according to claim 
1, wherein identifying the subset comprises selecting 
clients for inclusion in the subset while excluding 
servers.

104. (Previously presented) The method according to claim
1, wherein identifying the subset comprises selecting 
trap addresses that are not used by actual computers for 
inclusion in the subset. 

105. (Previously presented) The apparatus according to 
claim 35, wherein the subset includes clients while 
excluding servers.

106. (Previously presented) The apparatus according to 
claim 35, wherein the subset includes trap addresses that 
are not used by actual computers. 

107. (Previously presented) The product according to 
claim 69, wherein the subset includes clients while 
excluding servers.

108. (Previously presented) The product according to 
claim 69, wherein the subset includes trap addresses that 
are not used by actual computers. 
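
The core method of claim 1 (and its apparatus and product forms in claims 35 and 69), together with the subset selection of claims 103-108 and the baseline characteristics of claims 5, 6, 8 and 9, is shown below as an added worked example that is not code from the patent. The guard monitors only the low-traffic subset (clients and unused trap addresses, never the servers), learns per-address baseline distributions of destination ports and of TTL values (the TTL distribution standing in for the operating-system mix of the senders, as in claim 9), flags an address whose recent distributions have moved away from its baseline, treats any traffic to an address with an empty baseline as a deviation, and then filters the offending sources across the whole group. The address plan, the sample traffic, the L1 distance and its threshold are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str
    dport: int
    ttl: int


# Constructed address plan (not from the patent): one busy server, two clients, two trap addresses.
GROUP = {"192.0.2.10", "192.0.2.20", "192.0.2.21", "192.0.2.250", "192.0.2.251"}
SERVERS = {"192.0.2.10"}


def select_subset(group, servers):
    """Claims 103/104: monitor clients and trap addresses, not the servers carrying most traffic."""
    return {a for a in group if a not in servers}


def dist(counter: Counter) -> dict:
    n = sum(counter.values())
    return {k: v / n for k, v in counter.items()} if n else {}


def l1(p: dict, q: dict) -> float:
    """L1 distance between two discrete distributions, in [0, 2]."""
    return sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))


class Guard:
    def __init__(self, group, servers, threshold=1.0):
        self.group = set(group)
        self.subset = select_subset(group, servers)
        self.threshold = threshold                             # assumed deviation threshold
        self.base_port = {a: Counter() for a in self.subset}   # claim 5: ports per address
        self.base_ttl = {a: Counter() for a in self.subset}    # claims 8/9: TTL as OS proxy
        self.base_src = set()                                  # claim 6: sources seen in baseline

    @staticmethod
    def _tally(packets, subset):
        port = {a: Counter() for a in subset}
        ttl = {a: Counter() for a in subset}
        for p in packets:
            if p.dst in subset:
                port[p.dst][(p.proto, p.dport)] += 1
                ttl[p.dst][p.ttl] += 1
        return port, ttl

    def learn(self, packets):
        port, ttl = self._tally(packets, self.subset)
        for a in self.subset:
            self.base_port[a].update(port[a])
            self.base_ttl[a].update(ttl[a])
        self.base_src.update(p.src for p in packets if p.dst in self.subset)

    def deviating(self, packets) -> set:
        """Subset addresses whose recent traffic deviates from their baseline."""
        port, ttl = self._tally(packets, self.subset)
        out = set()
        for a in self.subset:
            if not port[a]:
                continue
            if not self.base_port[a]:      # trap address or idle client: any traffic at all deviates
                out.add(a)
            elif (l1(dist(self.base_port[a]), dist(port[a])) > self.threshold
                  or l1(dist(self.base_ttl[a]), dist(ttl[a])) > self.threshold):
                out.add(a)
        return out

    def blocked_sources(self, packets, deviating) -> set:
        # Claims 20/22: sources of the deviating traffic that never appeared in the baseline.
        return {p.src for p in packets if p.dst in deviating and p.src not in self.base_src}

    def filter(self, packets, blocked):
        # Claim 1: the filter applies to traffic directed at every address in the group.
        return [p for p in packets if not (p.dst in self.group and p.src in blocked)]


def run_scenario():
    """Constructed quiet period, then a window with a port-445 sweep; returns the guard's decisions."""
    g = Guard(GROUP, SERVERS)
    rep = lambda n, src, dst, port, ttl: [Pkt(src, dst, "tcp", port, ttl)] * n
    g.learn(rep(10, "198.51.100.1", "192.0.2.20", 443, 64) + rep(10, "198.51.100.2", "192.0.2.20", 443, 128)
            + rep(5, "198.51.100.1", "192.0.2.21", 80, 64))
    window = (rep(2, "198.51.100.1", "192.0.2.20", 443, 64) + rep(8, "203.0.113.9", "192.0.2.20", 445, 112)
              + rep(3, "203.0.113.9", "192.0.2.250", 445, 112) + rep(5, "203.0.113.9", "192.0.2.10", 445, 112)
              + rep(5, "198.51.100.1", "192.0.2.10", 443, 64) + rep(3, "198.51.100.1", "192.0.2.21", 80, 64))
    dev = g.deviating(window)
    blocked = g.blocked_sources(window, dev)
    return dev, blocked, len(window), len(g.filter(window, blocked))


if __name__ == "__main__":
    print(run_scenario())   # ({'192.0.2.20', '192.0.2.250'}, {'203.0.113.9'}, 26, 10)
```

Two points of the scenario are worth noting. The trap address 192.0.2.250 has an empty baseline, so the first packet it receives is a deviation without any distribution arithmetic; that is the value of trap addresses in claim 104. And the server 192.0.2.10 is never monitored, yet the sweep traffic sent to it is removed once the deviation is detected on the clients, which is exactly the "filter all of the addresses in the group" step of claim 1.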